Hi all what is the best practice to handle secrets generated

Question

Hi all what is the best practice to handle secrets generated in pulumi for ephemeral env For ex I want to create new instance of mssql server on Azure with admin password in pulumi One way which comes to my mind is to handle it with Azure Key Vault to not loose this password but maybe there is better approach which works natively with pulumi Thanks

better-rainbow-14549 · Answer

you can use an encrypted pulumi secret

better-rainbow-14549 · Answer

our approach is use pulumi random to generate the password and put it in a keyvault

better-rainbow-14549 · Answer

also you might want to use an azure ad group instead of a single user as the admin

better-rainbow-14549 · Answer

so that you can add yourslef to it and log in for troubleshooting

better-rainbow-14549 · Answer

gray-lawyer-89054 · Answer

ok thanks I also thought about AD it but in my case it look as too big overhead What do you mean by `encrypted pulumi secret` is there any api to add entries to Pulumi stack yaml or generating passwords outside of pulumi and pass to it on `pulumi up` with secret

better-rainbow-14549 · Answer

yeah you can do pulumi config to set a secret

better-rainbow-14549 · Answer

and it will make an entry you can retrieve as normal

better-rainbow-14549 · Answer

but it will be encrypted in the yaml

gray-lawyer-89054 · Answer

sorry you mean to do it with `pulumi config set` command right

better-rainbow-14549 · Answer

yeah

gray-lawyer-89054 · Answer

ah ok thanks

better-rainbow-14549 · Answer

iirc its secret

gray-lawyer-89054 · Answer

+1

big-piano-35669 · Answer

If you want to ceate the secret programmatically you can use the `pulumi secret v ` function and it ll be encrypted in the state file just like the CLI does This combines nicely with what Oliver suggested eg generating it with the random package

gray-lawyer-89054 · Answer

yes right it looks like simplest option thanks